Wireshark mailing list archives

Re: Question regarding capturing DNS packets with tshark


From: Stuart Kendrick <skendric () fhcrc org>
Date: Thu, 05 Jul 2012 16:47:40 -0700

Hi Braun,

I'm guessing that the frame you posted got truncated ... in the DNS
frame I'm examining right now, directly after the 'Queries' section, is
an 'Answers' section, which contains the IP address

I don't have a story as to how that would happen though ... had you
captured with 'tshark -s 64 -V port 53 udp', then we'd have a story ...
but I see no sign of 'slicing' on your tshark command line.

hope this scoots you closer to an answer to your question,

--sk

On 7/5/2012 4:08 PM, bbrelin () eircom ie wrote:

Hi all,

I have a question regarding capturing DNS traffic with tshark. I
do a fairly simple command:

tshark -V port 53 udp

I'm getting output like so:

Domain Name System (response)
    [Request In: 1]
    [Time: 0.000380000 seconds]
    Transaction ID: 0x0954
    Flags: 0x8080 (Standard query response, No error)
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 13
    Additional RRs: 1
    Queries
        blackberry.net.mnc002.mcc505.gprs: type A, class IN
            Name: blackberry.net.mnc002.mcc505.gprs
            Type: A (Host address)
            Class: IN (0x0001)

This is in response to a query about an A record.

My question is: where is the actual IP address that gets returned in
the DNS response?

Basically, all I want to do is capture DNS queries and their responses and
find out exactly what IP address is getting sent back to the client
from the server.

Any help appreciated.

Braun Brelin

p.s. if Guy Harris is still on this mailing list, Hi there Guy!




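As an added example (not code from either poster), a minimal Python parser for the DNS wire format that reports the A records found in the Answer section of a response and nothing else; both messages it parses are constructed here, with example.test and ns.test as placeholder names. A reply whose header says Answer RRs: 0, as the quoted frame does, yields no address at all, which is the first thing to check before looking for one elsewhere in the dissection.

```python
import struct

def _read_name(msg, off):
    # Decode a DNS name at `off`, following compression pointers (RFC 1035 4.1.4).
    # Returns (name, offset just past the name as it appears in the stream).
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:             # two-byte pointer to an earlier name
            end = end if end is not None else off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def answer_a_records(msg):
    # Return (rcode, qname, [IPv4 strings]) using only the Answer section.
    # Authority/Additional records are not consulted: ANCOUNT == 0 means no address.
    _, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    off, qname = 12, None
    for _ in range(qdcount):
        qname, off = _read_name(msg, off)
        off += 4                               # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, qname, addrs

def _name(s):                                  # wire-format label sequence
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"

# Constructed sample 1: Answer RRs: 1, carrying 192.0.2.10 for example.test.
WITH_ANSWER = (struct.pack("!HHHHHH", 0x0954, 0x8180, 1, 1, 0, 0)
               + _name("example.test") + b"\x00\x01\x00\x01"
               + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 10]))
# Constructed sample 2: Answer RRs: 0, Authority RRs: 1, like the quoted frame:
# the reply holds only a referral NS record, so no A record comes back at all.
NO_ANSWER = (struct.pack("!HHHHHH", 0x0954, 0x8080, 1, 0, 1, 0)
             + _name("example.test") + b"\x00\x01\x00\x01"
             + b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 3600, 9) + _name("ns.test"))
```

Call answer_a_records() on the UDP payload of a captured port 53 reply; an empty list with rcode 0 is a referral or empty answer, not a parsing failure.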
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

